Earlier last week n8fr8 suspected something changed on the ostel.co server, due to many users emailing support specifically about Jitsi connectivity to ostel.co. The common question was: why did it work a few weeks ago and now it doesn't anymore?
The tl;dr follows; skip to the keyword CONCLUSION to hear only the punch line.
To support n8fr8's hypothesis, there was a small change to the server, but I wasn't convinced it affected anything since all my clients continued to work properly, including Jitsi. Obviously something had changed but none of us knew what it was. After some testing we discovered the problem was related to insecure connections from Jitsi to UDP port 5060 on ostel.co. Secure connections (on TCP port 5061) continued to work as expected.
To make matters more confusing, I could register and make calls with two different clients (CSipSimple and Linphone) on the same network (my home ISP, Verizon FiOS) using an insecure connection to ostel.co on UDP port 5060.
At this point I was like WTF?
I went back to the server, diffed all the configs, checked server versions, connected with every client I could find that would run on any of my computers. The only change was a Kamailio upgrade from 4.0.1 to 4.0.2. A minor point release. The problem with Jitsi remained. What could the server be doing to this poor client?
I did a packet trace on the ostel.co server's public network interface, filtered to dump packets only on UDP port 5060 that match my SIP username. I opened Jitsi and things got interesting. For the curious, here's the utility and options I used. If you are new to operating a SIP network, ngrep is an excellent tool for debugging.
ngrep -d eth0 -t -p -W byline foo port 5060
I'll include an excerpt (I've included only the relevant headers for this issue) of the initial request from Jitsi. IP addresses and usernames have been changed to protect the innocent.
U 2013/07/19 22:17:34.920749 0.0.0.0:5060 -> 66.151.32.200:5060
REGISTER sip:ostel.co SIP/2.0.
CSeq: 1 REGISTER.
From: "foo"
#
U 2013/07/19 22:17:34.921155 66.151.32.200:5060 -> 0.0.0.0:5060
SIP/2.0 401 Unauthorized.
CSeq: 1 REGISTER.
From: foo
If you read the response, you'll see Kamailio sent 401 Unauthorized. This is normal for SIP authentication. A second client request should follow it, which should contain an Authorization header with an MD5 and a nonce. When Kamailio receives this request, checks the auth database and sends a 200 OK response, the client is authenticated.
The SIP dialog looks good but Jitsi continues not to register. The dialog flow is cut off after the 401 Unauthorized response. It's almost like something has blocked the response to the client.
Since I could register Linphone using the same account, I did the same trace for that client. Here's the excerpt.
U 2013/07/19 22:33:18.372770 0.0.0.0:42680 -> 66.151.32.200:5060
REGISTER sip:ostel.co SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0:49153;rport;branch=z9hG4bK359459505.
From:
#
U 2013/07/19 22:33:18.373112 66.151.32.200:5060 -> 0.0.0.0:42680
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 0.0.0.0:49153;rport=42680;branch=z9hG4bK359459505.
From:
This 401 Unauthorized response was received by the client and the follow-up request with the Authorization header was sent with the correct digest. Linphone registered. I made a call. Everything worked fine. Indeed WTF?
I stared at these traces for a while to get a clue. Look again at the first line of the request from Jitsi. You'll see a timestamp followed by two IP:port pairs. Notice the port on the first IP is 5060 and the port on the second IP is also 5060. This means that the source port used by Jitsi on my home network is UDP port 5060. In order for a response to come back to Jitsi, it must enter my network on the same port it exited. Now read the top line of the response from Kamailio. Indeed, the server sent the response to UDP port 5060.
Now look at the same flow for Linphone. There is a very different source port in that dialog. In this case, Kamailio sent the response to UDP port 42680 and Linphone received it. Also notice the IP address used by Kamailio as the destination of the response is the same one in the dialog from Jitsi.
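The comparison made by eye above can be automated. As an added example (not part of the original post), this Python code reads an ngrep -W byline capture taken on the server and lists the client endpoints that were sent a 401 challenge but never came back with an authenticated REGISTER. The capture, addresses, username and the function name stalled_registrations are constructed for illustration.

```python
import re

# ngrep packet header: "U <date> <time> <src ip>:<port> -> <dst ip>:<port>"
HEADER = re.compile(r"^U \S+ \S+ (\S+:\d+) -> (\S+:\d+)$")

# Constructed capture in ngrep -W byline style (sample data, not from the post).
# Both clients share one NAT address; only their source ports differ.
SAMPLE = """\
U 2013/07/19 22:17:34.920749 192.0.2.10:5060 -> 198.51.100.5:5060
REGISTER sip:example.org SIP/2.0.
#
U 2013/07/19 22:17:34.921155 198.51.100.5:5060 -> 192.0.2.10:5060
SIP/2.0 401 Unauthorized.
#
U 2013/07/19 22:33:18.372770 192.0.2.10:42680 -> 198.51.100.5:5060
REGISTER sip:example.org SIP/2.0.
#
U 2013/07/19 22:33:18.373112 198.51.100.5:5060 -> 192.0.2.10:42680
SIP/2.0 401 Unauthorized.
#
U 2013/07/19 22:33:18.401200 192.0.2.10:42680 -> 198.51.100.5:5060
REGISTER sip:example.org SIP/2.0.
Authorization: Digest username="bob", realm="example.org".
#
U 2013/07/19 22:33:18.402015 198.51.100.5:5060 -> 192.0.2.10:42680
SIP/2.0 200 OK.
"""

def stalled_registrations(capture):
    """Return client ip:port endpoints that were sent a 401 but never re-sent
    REGISTER with an Authorization header (dialog cut off after the challenge)."""
    state, src, dst, start = {}, None, None, False
    for line in capture.splitlines():
        m = HEADER.match(line)
        if m:  # new packet: remember who is talking to whom
            src, dst, start = m.group(1), m.group(2), True
        elif src is None or line.strip() in ("", "#"):
            continue
        elif start:  # first line of the SIP message (request or status line)
            start = False
            if line.startswith("REGISTER "):
                state.setdefault(src, "sent")
            elif line.startswith("SIP/2.0 401") and state.get(dst) == "sent":
                state[dst] = "challenged"
            elif line.startswith("SIP/2.0 200") and dst in state:
                state[dst] = "registered"
        elif line.lower().startswith("authorization:") and src in state:
            state[src] = "auth-sent"
    return sorted(c for c, s in state.items() if s == "challenged")
```

On the constructed capture the only stalled endpoint is the one using source port 5060, which is the pattern the two traces in this post show.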
The question remained, why can't Jitsi get the same kind of SIP response on UDP port 5060? Why is Jitsi using a single source port for outgoing traffic anyway? That value can be dynamic. I configured Jitsi to use a different port for insecure SIP. It has an advanced configuration for SIP with the key "SIP client port". I set this to 5062 (5061 is conventionally used for secure SIP traffic so I incremented by 2) and tried to register again.
SUCCESSSSSSSSSSSS!
To be thorough, I changed Jitsi's SIP port again to a 5 digit number I randomly typed on my keyboard without looking.
SUCCESSSSSSSSSSSS!
So if Jitsi can register to Kamailio on any port other than UDP port 5060, WTF is going on? I had a suspicion. I tried one more test before I called it. I configured Jitsi to connect on TCP port 5060. It registered successfully. Now I know what's going on. I have a sad.
CONCLUSION
My ISP, Verizon FiOS, has a firewall running somewhere upstream (it could be on the router they provided, I haven't checked yet) that blocks incoming UDP traffic to port 5060. This probably falls under their TOS section which forbids running servers since Verizon provides voice services for an additional fee on top of data service, despite both running over the same fiber connection to my house. It seems like Verizon doesn't want their data-only customers to get in the way of that sweet cheddar delivery each month in exchange for phone service.
This sucks on two levels.
LEVEL 1
Why is my ISP censoring my incoming traffic when I have 5 mbps of incoming bandwidth? I assume the answer is because they can. *desolate frowny face*
LEVEL 2
Why doesn't Jitsi use a dynamic source port for SIP requests? I assume the answer is Jitsi is open source, why don't I change this and send a patch upstream?
Both levels are formidable challenges to overcome. Convincing Verizon to play nice on the Internet feels like a vanity project. I'm writing that off. To make a change to the SIP stack in Jitsi is well within the area of the GP team's expertise, myself included, but it's not a trivial undertaking. Since this is a default configuration change there is probably a reason upstream devs made this choice, so in addition to the programming work there's the work to convince the developers this would be a change worth a new release.
Since this is specific to Jitsi, I'm going to follow up with the developers and see if I missed anything. Stay tuned for part two.
Thanks for listening. Stay safe!
Read the original:
Jitsi, ostel.co and ISP censorship | The Guardian Project